
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle delays the October CPU and 11g Release 2 is out

I got an email from Oracle support last night to tell me that the next Oracle Critical Patch Update, the CPU for October 2009, has been delayed. Here is the email (there are no privacy statements, so I am guessing it's OK to reproduce the whole email):

September 3, 2009
Oracle Critical Patch Update October 2009

Dear Oracle Customer,

There is a change in the previously announced release date of the October 2009 Critical patch Update.

Since many Oracle customers with responsibility for deploying the Critical Patch Update within their respective organizations will be attending Oracle OpenWorld October 11-15, 2009, the October 2009 Critical Patch Update originally scheduled to be published on Tuesday, October 13th 2009, will be released on October 20th 2009.

Please note: this date change only impacts the October 2009 Critical Patch Update. As usual, Oracle will issue a pre-release announcement on the Thursday before the publication of the Critical Patch Update (Thursday, October 15th). All other aspects of the Critical Patch Update (where to find the documentation, how to download the patches, etc.) remain the same.

The next four Critical Patch Update release dates are:

October 20, 2009
January 12, 2010
April 13, 2010
July 13, 2010

You will be notified via email once the Critical Patch Update for October 2009 has been released.

Thank you,
Oracle Security Alerts

Eric Maurice also blogged about it yesterday, but there is no additional information in his blog beyond what's in the email. Oracle are citing the OpenWorld conference as the reason for the delay; they say that a lot of admins will be at the conference and they don't want them to miss it in order to apply patches.

There are a number of questions we could ask about this:

1) Should Oracle delay the release of patches to ensure people come to its conference? Oracle released Oracle Database 11g Release 2 a couple of days ago; I was only able to get the download links to work yesterday, so I am guessing a lot of people are downloading and the servers are overloaded. So does Oracle want to make sure people come to the conference and get the new product message?
2) If patches are delayed, are customers put at further risk because the patches are not available as promptly as they could be?
3) Does this leave an opening for those who release exploits?
4) Does Oracle value marketing over security?
5) Surveys in the past have shown that not everyone applies the patches promptly anyway, so is there bad news in the patch that Oracle doesn't want to overshadow the OpenWorld news with?
6) Fill in your own question.

Personally, I don't see a major conflict with leaving the patch date as it was. Most people would not apply the patch during OpenWorld even if it were available anyway. Maybe it is just to prevent any possible distractions caused by managers who would feel their staff cannot leave work during a CPU release to attend a conference?

Interesting though!